3 min read

Healthcare data breach costs reach record high at $10M per attack: IBM report

The unrelenting barrage of cyberattacks against healthcare organizations is causing major financial damage as health systems struggle to mitigate the costs of data breaches.

A healthcare data breach now comes with a record-high price tag—to the tune of $10.1 million on average, according to IBM Security's annual Cost of a Data Breach Report. IBM looked at looked data breaches from March 2021 to March 2022.

That’s up 9.4% from the same timeframe a year earlier. Healthcare has had the highest breach-related financial damages for 12 consecutive years, according to IBM's report.

The average breach in healthcare increased by nearly $1 million and the cost has jumped 41.6% since the 2020 report.

Across industries, an eye-popping 60% of organizations said they had to raise prices to cover the expense of a breach.

Among critical infrastructure organizations such as financial services, industrial, technology, energy, transportation, communication, healthcare, education and public sector industries, 28% experienced a destructive or ransomware attack, while 17% experienced a breach because of a business partner being compromised

Among 550 organizations across various industries, 83% have had more than one data breach.

RELATEDHealthcare data breaches hit all-time high in 2021, impacting 45M people

Health systems are paying a hefty price for getting hacked. A massive cyberattack in May 2021 cost Scripps Health $112.7 million through the end of June, with lost revenue bearing most of the cost.

Universal Health Services was hit with a devastating attack in 2020 that took down all its IT systems, leading to a network shutdown at 250 of its hospitals around the country. That attack cost the health system $67 million in lost revenue and recovery, according to an HHS report.

An attack on the University of Vermont, an academic medical facility, cost $54 million, including rebuilding the computer network and lost revenue, officials said.

Tenet recently reported it saw an 11% decline in its hospital revenue in the second quarter of 2022 due in part to a major cyberattack.

The IBM report found that technology-based security solutions can help reduce the cost of data breaches. Organizations with fully deployed security artificial intelligence and automation cost $3 million less than breaches at organizations with no security AI and automation deployed.

"This 65.2% difference in average breach cost—between $3.15 million for fully deployed versus $6.20 million for not deployed—represented the largest cost savings in the study. Companies with fully deployed security AI and automation also experienced on average a 74-day shorter time to identify and contain the breach, known as the breach lifecycle, than those without security AI and automation—249 days versus 323 days," the report authors wrote.

The use of security AI and automation jumped by nearly one-fifth in two years, from 59% in 2020 to 70% in 2022.

Among all industries, detection and escalation costs surpassed lost business costs as the largest expenses comprising the cost of a data breach, for the first time in six years, the report found.

These financial pressures come as insurers won’t cover damages in some cases. A June report from the Government Accountability Office found that while cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware, private insurers have been taking steps to limit their potential losses from systemic cyber events.

RELATEDMay cyberattack cost Scripps nearly $113M in lost revenue, more costs

For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages, according to GAO. The Terrorism Risk Insurance Program (TRIP) covers losses from cyberattacks if they are considered terrorism, among other requirements. However, cyberattacks may not meet the program’s criteria to be certified as terrorism, even if they resulted in catastrophic losses, the GAO report said.

Scripps Health received $35 million from its insurers to cover the $133 million price tag associated with its cyberattack, according to a quarterly financial disclosure.

The University of Vermont collected $30 million from its insurer, while United Health Services received $26 million, Politico reported.

GAO suggested that the Treasury’s Federal Insurance Office and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency assess whether a government insurance option is needed.

There are growing calls from health system executives for the government to step in and provide more support better security for critical infrastructure.

President Joe Biden signed a law in March that requires critical infrastructure organizations to swiftly report certain cyber incidents and ransomware payments to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency.

A bipartisan Senate bill introduced in March also aims to shore up the healthcare industry’s cyber defenses shortly after White House warnings of potential Russian cyberattacks. The so-called Healthcare Cybersecurity Act would direct the DHS' CISA and Department of Health and Human Services (HHS) to work side by side on bolstering cybersecurity readiness among healthcare and public health organizations.

Cybersecurity breaches hit an all-time high in 2021, exposing a record amount of patients' protected health information (PHI), according to a report from cybersecurity company Critical Insights.

In 2021, 45 million individuals were affected by healthcare attacks, up from 34 million in 2020. That number has tripled in just three years, growing from 14 million in 2018, according to the report, which analyzes breach data reported to the HHS by healthcare organizations.

From January through July 2022, the HHS Office of Civil Rights database has tallied 373 data breaches against healthcare organizations.